In a survey, IT workers hold bleak views on cloud security and data breach costs

InfoWorld|Jun 9, 2014

Is a data breach worse if it happens in the cloud? Given that a recent Ponemon Institute report is entitled "Data Breach: The Cloud Multiplier Effect," it sounds like the answer is yes. But the report hints at another conclusion that's at least as significant as any dollars-and-cents cost of a security breach: the generally low opinion held by IT folks about cloud security.

The report, conducted by the Ponemon Institute and sponsored by cloud-app analytics firm Netskope, tries to put numbers -- even if self-estimated -- on the cost of a data breach in the cloud. It finds that because of the way cloud resources are handled in some organizations, a data breach could be up to three times costlier if it happens in the cloud.

Ponemon assembled its data based on responses from more than 600 U.S.-based IT and IT security practitioners "who are familiar with their company's usage of cloud services." The three key takeaways:

Many of those surveyed don't believe their companies are properly vetting cloud services for security.

Certain activities, such as a rapid expansion of operations, can boost the price tag for a data loss breach.

The costliest data breaches for high-value intellectual property occur when a company tries to bring its own cloud.

The respondents' misgivings about security don't stop at their employers; they cover cloud services too. Seventy-two percent believed their cloud service providers wouldn't alert them to a data breach that involved the theft of confidential business data, and 71 percent believed the same would happen if customer data were stolen.

Beyond that, many organizations don't feel they have enough insight into what data, or how much of it, is actually in the cloud. Although the metrics were self-estimated in this roundup, the report notes self-estimation may be unavoidable because some of those applications could fall under shadow IT.

Because data breaches aren't all alike, the report asked the respondents about the likelihood of data breaches rising for various scenarios. The biggest response: 90 percent believed a breach would come when increasing backups and storage of sensitive or confidential data by 50 percent over a 12-month period. When boosting the use of cloud services by 50 percent over the same timeframe, the likelihood was 86 percent. Moving the data center from the United States to an offshore location, by contrast, only ranked at 65 percent. Again, these numbers are self-reported estimates and don't come from analyses of actual breaches.

Most ambitiously, the report attempts to estimate the average economic impact of a data breach in the cloud. Ponemon calculated that the cost of a breach involving 100,000 or more records of stolen personal data could increase from an average of $2.4 million to anywhere between $4 million and $7.3 million. For a theft of high-value IP or confidential data, the costs were estimated to balloon from around $3 million to $5.4 million.

Although the baselines for those numbers were drawn from Ponemon's other research into the costs of data breaches, the self-reporting nature of the survey makes it tough to determine if the calculations are as useful. Another possible quibble with the report is the low response rate; 16,330 people were targeted for the survey, but only 4.2 percent responded, with only 3.8 percent actually used in the end.

What does stand out is how poorly cloud security seems to be regarded within the IT departments that responded -- even if that attitude is mainly perceptual (as InfoWorld's David Linthicum has noted) rather than based on facts and real-world statistics.